- HTTP/2
- HTTP/2 and ALPN
- Apache HTTPD
- Tomcat
- Traffic Server
- Demos
- Questions?


Who I am

Jean-Frederic Clere, Red Hat

- Years writing Java code and server software
- Tomcat committer since 2001
- Doing open source since 1999
- Cyclist/runner etc.
- Lived 15 years in Spain (Barcelona)
- Now in Neuchâtel (CH)


Why HTTP/2
- HTTP/1.1: June 1999 (RFC 2616)
- 1999: 1 page ~ 1 kB of HTML
- 2019: 1 page ~ 3 MB of HTML + images + JS + CSS etc.
- Protocol: not adapted to that workload, inefficient (one request in flight per connection, the same headers repeated on every request)


HTTP/2 general
HTTP/2:
- Binary
- Framed
- Multiplexed
- Based on SPDY
- TLS everywhere: browsers only speak HTTP/2 over https, and only with strong ciphers (RFC 7540 section 9.2 and appendix A list what a client may reject)
- No forward proxy
- h2c: clear text only behind a reverse proxy (proxy to back-end server)
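Added example, not code from the slides: a small Python parser for the binary framing just described (9-byte header: 24-bit length, type, flags, reserved bit + 31-bit stream id), a demultiplexer that regroups interleaved frames per stream, and the two connection-level checks a server makes before trusting a frame (size against SETTINGS_MAX_FRAME_SIZE, DATA/HEADERS on stream 0). The byte stream it parses is constructed inline; the HEADERS payloads are placeholders, not real HPACK blocks.

```python
"""Minimal HTTP/2 frame parser and stream demultiplexer (RFC 7540 section 4)."""
import struct
from dataclasses import dataclass

# Frame type codes, RFC 7540 section 6
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
DEFAULT_MAX_FRAME_SIZE = 1 << 14          # initial SETTINGS_MAX_FRAME_SIZE (RFC 7540 6.5.2)
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4


@dataclass
class Frame:
    type: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    if len(payload) > DEFAULT_MAX_FRAME_SIZE:
        raise ValueError("payload exceeds SETTINGS_MAX_FRAME_SIZE")
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Parse a client-to-server byte stream (preface first) into frames.

    Raises ValueError named after the RFC 7540 error code a real server would put in GOAWAY:
    FRAME_SIZE_ERROR for an oversized frame, PROTOCOL_ERROR for DATA/HEADERS on stream 0.
    """
    if not buf.startswith(CONNECTION_PREFACE):
        raise ValueError("PROTOCOL_ERROR: missing connection preface")
    pos, frames = len(CONNECTION_PREFACE), []
    while pos < len(buf):
        if len(buf) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        if length > max_frame_size:
            raise ValueError(f"FRAME_SIZE_ERROR: {length} > {max_frame_size}")
        if ftype in (0x0, 0x1) and stream_id == 0:
            raise ValueError(f"PROTOCOL_ERROR: {FRAME_TYPES[ftype]} frame on stream 0")
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append(Frame(ftype, flags, stream_id, payload))
        pos += 9 + length
    return frames


def frame_error(buf):
    """Return the error string parse_frames would raise for buf, or None if it parses cleanly."""
    try:
        parse_frames(buf)
    except ValueError as e:
        return str(e)
    return None


def demultiplex(frames):
    """Regroup interleaved HEADERS/DATA frames per stream: this is what 'multiplexed' means on the wire."""
    streams = {}
    for f in frames:
        if f.type in (0x0, 0x1):
            streams.setdefault(f.stream_id, []).append((FRAME_TYPES[f.type], f.payload))
    return streams


def sample_connection():
    """Constructed sample: preface, empty SETTINGS, then streams 1 and 3 interleaved on one connection.
    The HEADERS payloads stand in for HPACK blocks; they are placeholders, not real HPACK bytes."""
    return (CONNECTION_PREFACE
            + build_frame(0x4, 0, 0)                                    # SETTINGS
            + build_frame(0x1, FLAG_END_HEADERS, 1, b"<hpack block s1>")
            + build_frame(0x1, FLAG_END_HEADERS, 3, b"<hpack block s3>")
            + build_frame(0x0, 0, 1, b"hello ")
            + build_frame(0x0, FLAG_END_STREAM, 3, b"world")
            + build_frame(0x0, FLAG_END_STREAM, 1, b"again"))


if __name__ == "__main__":
    for sid, parts in sorted(demultiplex(parse_frames(sample_connection())).items()):
        print(sid, parts)
```

Because every frame carries its stream id, the server can answer stream 3 before stream 1 has finished; the same property is why a real implementation must bound what it buffers per stream and per connection before the peer is allowed to open more.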


HTTP/2 general

Two specifications, by the Internet Engineering Task Force:
- Hypertext Transfer Protocol version 2 - RFC 7540
- HPACK - Header Compression for HTTP/2 - RFC 7541

Plus ALPN, Application-Layer Protocol Negotiation - RFC 7301


HTTP/2 Multiplexed

(Diagram: several request/response exchanges, each starting with its Headers frame, interleaved on a single connection.)


HTTP/2 : more

- HTTP header compression
  - ~80 % saved
- Request priority
  - both sides
- Server push
  - prevents a round trip to get an element of a page
  - faster / better rendering in browsers
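Added example (not the speaker's code) to show where the ~80 % saving comes from: an HPACK encoder with the RFC 7541 static table and a dynamic table capped at the default 4096 bytes, without Huffman coding, run over a constructed browser-like sequence of requests. The host name, user-agent string and cookie value are invented for the example.

```python
"""HPACK-style header compression (RFC 7541) without Huffman coding, to measure the saving."""

# Static table, RFC 7541 Appendix A (index 1..61); "" = name-only entry
STATIC_TABLE = [
    (":authority", ""), (":method", "GET"), (":method", "POST"), (":path", "/"),
    (":path", "/index.html"), (":scheme", "http"), (":scheme", "https"), (":status", "200"),
    (":status", "204"), (":status", "206"), (":status", "304"), (":status", "400"),
    (":status", "404"), (":status", "500"), ("accept-charset", ""), ("accept-encoding", "gzip, deflate"),
    ("accept-language", ""), ("accept-ranges", ""), ("accept", ""), ("access-control-allow-origin", ""),
    ("age", ""), ("allow", ""), ("authorization", ""), ("cache-control", ""), ("content-disposition", ""),
    ("content-encoding", ""), ("content-language", ""), ("content-length", ""), ("content-location", ""),
    ("content-range", ""), ("content-type", ""), ("cookie", ""), ("date", ""), ("etag", ""),
    ("expect", ""), ("expires", ""), ("from", ""), ("host", ""), ("if-match", ""),
    ("if-modified-since", ""), ("if-none-match", ""), ("if-range", ""), ("if-unmodified-since", ""),
    ("last-modified", ""), ("link", ""), ("location", ""), ("max-forwards", ""),
    ("proxy-authenticate", ""), ("proxy-authorization", ""), ("range", ""), ("referer", ""),
    ("refresh", ""), ("retry-after", ""), ("server", ""), ("set-cookie", ""),
    ("strict-transport-security", ""), ("transfer-encoding", ""), ("user-agent", ""), ("vary", ""),
    ("via", ""), ("www-authenticate", ""),
]


def encode_int(value, prefix_bits, first_byte):
    """Integer representation with an N-bit prefix (RFC 7541 5.1)."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([first_byte | value])
    out = bytearray([first_byte | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def encode_string(text):
    """String literal with H bit = 0 (no Huffman); Huffman coding would shrink this further."""
    raw = text.encode("utf-8")
    return encode_int(len(raw), 7, 0x00) + raw


class HpackEncoder:
    """Encoder whose dynamic table is capped at SETTINGS_HEADER_TABLE_SIZE (default 4096 bytes)."""

    def __init__(self, max_table_size=4096):
        self.dynamic = []                  # newest entry first, the order indices are assigned (2.3.2)
        self.max_table_size = max_table_size

    def _table_size(self):
        return sum(len(n) + len(v) + 32 for n, v in self.dynamic)   # 32-byte overhead per entry (4.1)

    def _add(self, name, value):
        self.dynamic.insert(0, (name, value))
        while self._table_size() > self.max_table_size:
            self.dynamic.pop()             # evict the oldest until the table fits again (4.4)

    def _lookup(self, name, value):
        """Return (index, exact): an exact name+value hit, else the first name-only hit, else (None, False)."""
        name_index = None
        for index, (n, v) in enumerate(STATIC_TABLE + self.dynamic, start=1):
            if n == name and v == value:
                return index, True
            if n == name and name_index is None:
                name_index = index
        return name_index, False

    def encode(self, headers):
        """Encode one header list (pseudo-headers first, as HTTP/2 requires)."""
        out = bytearray()
        for name, value in headers:
            index, exact = self._lookup(name, value)
            if exact:
                out += encode_int(index, 7, 0x80)                  # indexed header field (6.1)
            else:
                out += encode_int(index or 0, 6, 0x40)             # literal with incremental indexing (6.2.1)
                if index is None:
                    out += encode_string(name)
                out += encode_string(value)
                self._add(name, value)
        return bytes(out)


def sample_requests(n_images):
    """Constructed browser traffic: index.html, then n_images image requests repeating the same
    user-agent and cookie; host name and cookie value are made up for the example."""
    common = [(":method", "GET"), (":scheme", "https"), (":authority", "demo.example"),
              ("user-agent", "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/120.0"),
              ("accept-encoding", "gzip, deflate"),
              ("cookie", "JSESSIONID=0123456789ABCDEF0123456789ABCDEF")]
    requests = [[(":path", "/index.html")] + common]
    requests += [[(":path", f"/images/img{i:03d}.png")] + common for i in range(n_images)]
    return requests


def compression_report(requests):
    """Return (raw bytes as 'name: value\\r\\n' text, total HPACK bytes, HPACK bytes per request)."""
    encoder = HpackEncoder()
    per_request = [len(encoder.encode(h)) for h in requests]
    raw = sum(len(f"{n}: {v}\r\n") for h in requests for n, v in h)
    return raw, sum(per_request), per_request
```

The first request pays for the literals; every image request after it is one byte per repeated header, which is the whole point for a page of ~100 images. The cap on the dynamic table is what the peer's SETTINGS_HEADER_TABLE_SIZE negotiates: a decoder that let the table grow unbounded would be a memory exhaustion target, so both sides must evict exactly the same entries.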


HTTP/2 With Browsers

Browsers with HTTP/2 and TLS:
- Firefox 34
- Chrome 40 (with ALPN; before that NPN)
- IE 11
- Opera and Safari 9
- Go for it now!


(Wireshark capture 1: client 46254 -> server 8443. TCP SYN / SYN-ACK / ACK, then TLSv1.2 Client Hello, Server Hello, Change Cipher Spec and Application Data.)

Client Hello, Application Layer Protocol Negotiation extension. The browser lists what it can speak, most preferred first:
ALPN Extension Length: 39
  ALPN string length: 5   ALPN Next Protocol: h2-16
  ALPN string length: 5   ALPN Next Protocol: h2-15
  ALPN string length: 5   ALPN Next Protocol: h2-14
  ALPN string length: 2   ALPN Next Protocol: h2
  ALPN string length: 8   ALPN Next Protocol: spdy/3.1
  ALPN string length: 8   ALPN Next Protocol: http/1.1


(Wireshark capture 2: the same handshake, Server Hello selected.)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Compression Method: null (0)
Extensions Length: 14
Extension: renegotiation_info
  Type: renegotiation_info (0xff01)
  Length: 1
Extension: Application Layer Protocol Negotiation
  Type: Application Layer Protocol Negotiation (0x0010)
  Length: 5
  ALPN Extension Length: 3
  ALPN Protocol
    ALPN string length: 2
    ALPN Next Protocol: h2

The server answers with exactly one protocol, picked from the client's list.
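Added example, not part of the presentation: building and parsing the ALPN extension bytes seen in the two captures above (RFC 7301), plus the server-side choice that httpd's ProtocolsHonorOrder directive controls. The client offer list is the one from capture 1; everything else is constructed.

```python
"""Build, parse and resolve the TLS ALPN extension (RFC 7301) that carries the h2 negotiation."""
import struct

ALPN_EXTENSION_TYPE = 0x0010

# What capture 1 shows the browser offering, in the browser's preference order
CAPTURED_CLIENT_OFFER = ["h2-16", "h2-15", "h2-14", "h2", "spdy/3.1", "http/1.1"]


def encode_alpn_extension(protocols):
    """ExtensionType(2) ExtensionLength(2) ProtocolNameListLength(2) then (len(1) name)* (RFC 7301 3.1)."""
    names = b""
    for p in protocols:
        raw = p.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError(f"protocol name length out of range: {p!r}")
        names += bytes([len(raw)]) + raw
    list_bytes = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(list_bytes)) + list_bytes


def parse_alpn_extension(data):
    """Inverse of encode_alpn_extension, validating every length field before trusting it."""
    if len(data) < 6:
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != ALPN_EXTENSION_TYPE:
        raise ValueError(f"not an ALPN extension: type {ext_type:#06x}")
    body = data[4:4 + ext_len]
    if len(body) != ext_len:
        raise ValueError("extension length exceeds data")
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2 or list_len == 0:
        raise ValueError("bad ProtocolNameList length")
    protocols, pos = [], 2
    while pos < len(body):
        n = body[pos]
        if n == 0:
            raise ValueError("empty ProtocolName is forbidden")
        name = body[pos + 1:pos + 1 + n]
        if len(name) != n:
            raise ValueError("ProtocolName overruns the list")
        protocols.append(name.decode("ascii"))
        pos += 1 + n
    return protocols


def select_protocol(client_offer, server_supported, honor_server_order=True):
    """Server-side choice. honor_server_order=True mirrors httpd's 'ProtocolsHonorOrder on':
    the server's own preference wins. None means no overlap; the server must then fail the
    handshake with a no_application_protocol alert rather than silently fall back (RFC 7301 3.2)."""
    if honor_server_order:
        return next((p for p in server_supported if p in client_offer), None)
    return next((p for p in client_offer if p in server_supported), None)


def server_hello_alpn(client_offer, server_supported, honor_server_order=True):
    """Bytes of the ALPN extension the server puts in its ServerHello: exactly one protocol, or None."""
    chosen = select_protocol(client_offer, server_supported, honor_server_order)
    return None if chosen is None else encode_alpn_extension([chosen])
```

With `Protocols h2 http/1.1` and `ProtocolsHonorOrder on`, the reply for the captured offer is the 5-byte extension of capture 2; with the order reversed the same client would get http/1.1 even though it prefers h2. ALPN is sent in the clear in TLS 1.2, so the offered list is also a cheap fingerprint of the client on the wire.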


Requirements
- OpenSSL for our 3 servers
  - at least 1.0.2c
- Tomcat (at least 9.x)
  - tomcat-native or a modern JVM
- Httpd (since 2.4.17)
  - HTTP/2 C library (libnghttp2)
- TrafficServer (since ATS v5.3.2)
  - nothing except OpenSSL


Status
- Tomcat (trunk/8.5)
  - Full support / released as stable.
  - Needs Servlet 4.0 (JSR 369) for the server PUSH API (TC 11.0.x)
  - Can't be full Java until JDK 9 (ALPN support)
- Httpd (available since 2.4.17)
  - Full support (since 2.4.20)
- TrafficServer (since 5.3.0) (flow control 6.1)
  - Priorities (6.2.0) and Server PUSH (7.0.0)


TC connector server.xml

<Connector port="8002"
           maxThreads="150"
           SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateFile="/home/jfclere/H3/certs/pubcert.pem"
                     certificateKeyFile="/home/jfclere/H3/certs/privkey.pem"/>
    </SSLHostConfig>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>

The attribute is maxThreads (lower-case m) and the element must be closed with </Connector>, not <Connector/>. The connector stays an HTTP/1.1 connector; the UpgradeProtocol element is what makes it offer h2 through ALPN on the TLS handshake.
(Benchmark charts, concurrency 240, x axis = file size: coyote nio jsse h1 https versus coyote nio jsse h2 https.)
Tomcat Demo
- No server push (the browsers stopped supporting it anyway :-( )
- Multiplexing
- Header compression
- HTML page:
  - that requires a lot (~100) of small (~4 KB) images to render
  - uses a


TrafficServer / Configuration

records.yaml:
- traffic_ctl config set proxy.config.http.server_ports "8888:ssl" -c records.yaml
ssl_multicert.config:
- dest_ip=* ssl_cert_name=newcert.pem ssl_key_name=newkey.txt.pem
remap.config:
- map / http://127.0.0.1:8080
ip_allow.config:
- src_ip=192.168.1.38 action=ip_allow method=ALL
- src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow method=ALL

(The second ip_allow line admits every IPv6 source; that is fine for a demo, not for a deployment.)
TrafficServer / Demo
- Like the Tomcat one
- Uses the http/1.1 Tomcat NIO connector on 8080 as back-end


HTTPd / Configuration

httpd.conf:

LoadModule http2_module modules/mod_http2.so

Listen 8006

<VirtualHost *:8006>
    Protocols h2 http/1.1
    ProtocolsHonorOrder on
    SSLEngine on
    SSLCertificateFile "/home/jfclere/CERTS/newcert.pem"
    SSLCertificateKeyFile "/home/jfclere/CERTS/newkey.pem"
    SSLCACertificateFile "/etc/pki/CA/cacert.pem"
</VirtualHost>

(mod_http2 is the module name since it was merged in 2.4.17; the standalone predecessor was called mod_h2. ProtocolsHonorOrder on means the server's order in Protocols wins over the client's ALPN preference.)


HTTPd / Configuration proxy

LoadModule http2_module modules/mod_http2.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
Listen 8006
<VirtualHost *:8006>
    Protocols h2 http/1.1
    ProtocolsHonorOrder on
    SSLEngine on
    ProxyPass "/" "h2c://localhost:8003/"
</VirtualHost>

(mod_proxy_http2 needs mod_proxy loaded as well. The back-end hop is h2c, clear-text HTTP/2: fine on loopback, not across hosts.)
HTTPd / Demo
- Like the Tomcat one:
  - htdocs/http2.html
  - htdocs/images/ the images


HTTP/2 move to it?

Conclusion:
- Using HTTP/2 without PUSH is already good.
- Safer crypto is good but expensive.
- No need to rewrite the application to get the gains.

HTTP/2: GO FOR IT


Then why HTTP/3?
- TCP/IP:
  - window acks: 1 packet lost -> all the channels blocked (head-of-line blocking in the transport, even though the HTTP/2 streams above it are independent)
- UDP:
  - channels are independent
  - needs a higher protocol level to ensure integrity
  - packets might not be received in order
- Security:
  - needs a patched version of OpenSSL (and uses TLS 1.3)
- UDP: cloud -> no... but DNS -> used everywhere!


HTTP/3 (RFC 9114, published June 2022)

- Uses QUIC / TLS 1.3 / UDP
- To "transport" HTTP/1.1 semantics, like HTTP/2 does
- Initial connection over TCP, then the server advertises HTTP/3 with:
  - a response header: Alt-Svc: h3=":56666"
  - or an HTTP/2 ALTSVC frame
- Problems:
  - UDP ports closed
  - UDP slower than TCP in kernels
  - needs extra CPU (?)
- Specifications: RFC 9114


Features: HTTP/2 vs HTTP/3

Feature               HTTP/2                      HTTP/3
Transport             TCP                         UDP/QUIC
Streams               HTTP/2                      QUIC
Clear text            yes (h2c: reverse proxy)    no
Independent streams   no                          yes
Header compression    HPACK                       QPACK
Server push           yes                         yes
Early data            no                          yes
0-RTT handshake       no (TLS 1.2)                yes (TLS 1.3+)


HTTP/3 implementations
- quiche: https://docs.quic.tech/quiche/
- curl: https://curl.se/docs/http3.html
  - ngtcp2 (nghttp3/ngtcp2, patched OpenSSL or GnuTLS)
  - quiche
  - msh3
  - experimental, selected at build time
- Browser: Firefox (active by default since Apr 2021)


HTTP/3 in our servers:
- Apache Tomcat: problem, the Java UDP socket API is incomplete (Java 15)
- Apache HTTPD: needs time, probably like HTTP/2 did
- Apache Traffic Server: see the ATS docs / curl docs
  - 10-dev: BoringSSL and quiche


TrafficServer / Configuration
records.yaml:

traffic_ctl config set proxy.config.http.server_ports "4443:quic" -c records.yaml
traffic_ctl config set proxy.config.udp.threads 1 -c records.yaml
traffic_ctl config set proxy.config.quic.initial_max_streams_bidi_in 100000
traffic_ctl config set proxy.config.quic.initial_max_streams_bidi_out 100000

ssl_multicert.config:
- dest_ip=* ssl_cert_name=newcert.pem ssl_key_name=newkey.txt.pem

remap.config:
- map / http://127.0.0.1:8080


TrafficServer / H3 Demo
- Uses Tomcat as back-end
- Uses the http/1.1 Tomcat NIO connector on 8080 as back-end
- Uses Apache HTTPD https + mod_headers to create the alt-svc header

TrafficServer / Demo
- https://jfclere.myddns.me:4433/
- The HTTP/1.1 (HTTP/2) response carries the alt-svc header:
  - alt-svc: h3=":4433"; ma=60, h3-29=":4433"; ma=60
  - h3-29 = HTTP/3 draft 29
  - ma=60 seconds = 1 minute, so the advertisement is re-learned every minute
- Next requests -> HTTP/3
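Added example (not the speaker's code): the client side of what the demo relies on, parsing the alt-svc header above (RFC 7838) and deciding whether the next request may be sent over HTTP/3. The header is the one from the demo; the clock values and the second, other-host header are constructed.

```python
"""Parse and select from an Alt-Svc header (RFC 7838), as a client deciding whether to try HTTP/3."""
import re
from urllib.parse import unquote

DEFAULT_MAX_AGE = 86400  # RFC 7838 3.1: "ma" defaults to 24 hours


def _split_outside_quotes(text, sep):
    """Split on sep, but not inside a quoted-string (the alt-authority is always quoted)."""
    fields, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields


def parse_alt_svc(header, origin_host, now):
    """Return a list of alternatives, each a dict with protocol, host, port, expires, persist.
    "clear" (RFC 7838 3) means: forget every cached alternative for this origin -> []."""
    header = header.strip()
    if header.lower() == "clear":
        return []
    alternatives = []
    for item in _split_outside_quotes(header, ","):
        parts = [p.strip() for p in _split_outside_quotes(item, ";")]
        # alternative = protocol-id "=" alt-authority (a quoted-string; simplified here: no \ escapes)
        m = re.fullmatch(r'([^=\s"]+)="([^"]*)"', parts[0])
        if not m:
            raise ValueError(f"malformed alternative: {parts[0]!r}")
        protocol = unquote(m.group(1))          # protocol-id is a percent-encoded ALPN name
        host, sep, port = m.group(2).rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"alt-authority must carry a port: {m.group(2)!r}")
        params = {}
        for p in parts[1:]:
            key, _, value = p.partition("=")
            params[key.strip().lower()] = value.strip().strip('"')
        alternatives.append({
            "protocol": protocol,
            "host": host or origin_host,        # empty host = same host as the origin
            "port": int(port),
            "expires": now + int(params.get("ma", DEFAULT_MAX_AGE)),
            "persist": params.get("persist") == "1",
        })
    return alternatives


def choose_alternative(alternatives, supported, origin_host, now, allow_other_host=False):
    """Pick the first unexpired alternative whose protocol we speak.

    An alternative on another host is only usable if that host presents a certificate valid
    for the origin (RFC 7838 2.1); this example does no TLS, so it skips those by default."""
    for alt in alternatives:
        if alt["protocol"] not in supported or alt["expires"] <= now:
            continue
        if alt["host"] != origin_host and not allow_other_host:
            continue
        return alt
    return None


# The header the ATS demo returns, with "h3" (RFC 9114) and "h3-29" (draft 29)
DEMO_HEADER = 'h3=":4433"; ma=60, h3-29=":4433"; ma=60'
DEMO_ORIGIN = "jfclere.myddns.me"

if __name__ == "__main__":
    alts = parse_alt_svc(DEMO_HEADER, DEMO_ORIGIN, now=1000)
    print(choose_alternative(alts, {"h3"}, DEMO_ORIGIN, now=1000))
```

Alt-Svc is only a hint: the client still falls back to the TCP connection if the UDP port is blocked, and ma=60 means the demo's "next requests -> HTTP/3" holds for one minute after each response that carried the header. The host check matters because an attacker who can inject a response header must not be able to redirect the origin's traffic to a host that cannot present the origin's certificate.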


TrafficServer / Demo

(Screenshot: Firefox at https://127.0.0.1:4433/ showing the Apache Tomcat 9 documentation index, version 9.0.27-dev, Oct 29 2019, served through Traffic Server over HTTP/3, with the Firefox network panel, "Edit and Resend" / "Raw Headers", open on the response headers.)


HTTP/3 more info:
- Playing with browsers:
  - H3 activated by default since 2021 in Firefox/Chrome
- OpenSSL 3.3.x (3.2.x has a client QUIC API)


HTTP/3 openssl + nghttp3

- Basic client:
  - using nghttp3: a main, one big callback and a few functions
  - using OpenSSL master to provide the QUIC layer
- An incoming QUIC stream on connection s is accepted with:

SSL *new_ssl = SSL_accept_stream(s, 0);   /* s is the QUIC connection SSL object; returns a stream SSL object */


HTTP/3 ready?
Conclusion:
- No longer a draft; the last draft was h3-34.
- UDP versus TCP.
- Needs a forked version of OpenSSL... (0-RTT).
- Or BoringSSL.
- No need to rewrite the application to get the gains.

HTTP/3: wait


Questions?

Thank you!

- users@httpd.apache.org
- users@tomcat.apache.org
- users@trafficserver.apache.org

- https://http2.github.io/
- https://github.com/ngtcp2/nghttp3.git
- Client tries: https://github.com/jfclere/openssl-h3-examples
- HTTP/3: see the curl docs, http3-explained by Daniel Stenberg
- More on HTTP/3: https://github.com/jfclere/CoC23/tree/main/h3